From 192dff76e49b39794fe53eb92c9d9d852b76bf0a Mon Sep 17 00:00:00 2001
From: Cyrille Bagard
Date: Tue, 14 Nov 2023 09:08:21 +0100
Subject: Handle small base64 encodings which may produce few patterns.
---
 plugins/encodings/rost/base64.c | 17 ++++++++++++++++-
 tests/analysis/scan/fuzzing.py | 18 ++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/plugins/encodings/rost/base64.c b/plugins/encodings/rost/base64.c
index 5472ec0..adbb2fb 100644
--- a/plugins/encodings/rost/base64.c
+++ b/plugins/encodings/rost/base64.c
@@ -326,7 +326,22 @@ static bool g_scan_base64_modifier_transform(const GScanBase64Modifier *modifier
 result = base64_encode(&tmp_in, &tmp_out);
 if (!result) goto exit;
- strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary++);
+ strip_base64_modifier_output(&tmp_in, &tmp_out, 1, binary);
+
+ /**
+ * Lors qu'un unique octet est encodé, cet octet ne produit aucun
+ * caractère que ne dépend que de lui :
+ *
+ * | X |
+ * 1 2 3 4 5 6 | 7 8 1 2 3 4 | 5 6 7 8 1 2 | 3 4 5 6 7 8
+ *
+ * Les compteurs sont alors diminués.
+ */
+
+ if (binary->len == 0)
+ (*dcount)--;
+ else
+ binary++;
 exit_szstr(&tmp_out);
diff --git a/tests/analysis/scan/fuzzing.py b/tests/analysis/scan/fuzzing.py
index 1957f72..1bebdd3 100644
--- a/tests/analysis/scan/fuzzing.py
+++ b/tests/analysis/scan/fuzzing.py
@@ -249,3 +249,21 @@ rule test {
 '''
 self.check_rule_failure(rule)
+
+
+ def testSmallBase64(self):
+ """Handle small base64 encodings which may produce few patterns."""
+
+ rule = '''
+rule test {
+
+ bytes:
+ $a = "0" base64
+
+ condition:
+ $a
+
+}
+'''
+
+ self.check_rule_failure(rule)
--
cgit v0.11.2-87-g4458
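Review bot: In the new `if (binary->len == 0)` branch of g_scan_base64_modifier_transform, the slot is kept for reuse and `(*dcount)--` runs with no visible guard and no release of the empty entry. If strip_base64_modifier_output can leave a non-NULL buffer behind for a zero-length result, the next write into the same slot would leak it, and if `*dcount` is an unsigned count that can be zero here the decrement would wrap; neither can be confirmed from the hunk, because the function starts and ends outside it. An `assert(*dcount > 0);` before the decrement, plus a one-line comment stating who owns an empty slot, would make the invariant explicit. The block comment ends with « Les compteurs sont alors diminués » in the plural while only `*dcount` changes in the visible lines, so it should name the counter that is actually adjusted.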
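Review bot: testSmallBase64 asserts only that the rule is rejected, so it would pass just as well if `"0" base64` failed for an unrelated reason, and its docstring repeats the commit subject without saying that rejection is the expected outcome. A docstring along the lines of `"""Reject a one-byte base64 pattern, whose encodings are too short to search for."""` would state the intent, provided that is indeed the reason the scanner refuses it. A companion case with a slightly longer plain text that is expected to compile would show that only the degenerate encoding is refused. The enclosing class and the `check_rule_failure` helper are defined outside the hunk.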